How is information enumerated through NULL session access, Remote Procedure Calls and IPC$?
A NULL session is an unauthenticated connection to an NT/W2000 machine. Gaining NULL session access is the number one method hackers use to enumerate information about an NT/W2000 system. From a NULL session, a hacker can call APIs and use Remote Procedure Calls to enumerate information. These techniques can, and will, provide information on passwords, groups, services, users and even active processors. NULL session access can also be used to escalate privileges and to perform DoS attacks. The table below lists the TCP/UDP ports and their use within NT/W2000.

Keyword       Decimal    Description
—————————————————————————————————————————————————————
loc-srv       135/tcp    Location Service (RPC endpoint mapping)
loc-srv       135/udp    Location Service (RPC endpoint mapping)
netbios-ns    137/tcp    NETBIOS Name Service
netbios-ns    137/udp    NETBIOS Name Service
netbios-dgm   138/tcp    NETBIOS Datagram Service
netbios-dgm   138/udp    NETBIOS Datagram Service
netbios-ssn   139/tcp    NETB
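Because a NULL session connects to IPC$ with no credentials, the tell-tale sign in audit data is a share-access record whose account is the anonymous identity rather than a named user; IPC$ access by itself is normal. The following is an added example, not code from the original page: a small Python detector that runs over a constructed, tab-separated log (fields event_id, timestamp, account, source_ip, share, loosely modelled on the fields of the Windows share-access audit event) and counts anonymous IPC$ connections per source address. The log layout, the sample records and the function names are assumptions made for this example.

```python
"""Flag NULL-session style access to IPC$ in constructed share-access records.

Added example, not from the original page. Assumed log format (one record
per line, tab-separated):  event_id, timestamp, account, source_ip, share
The event id 5140 used here is the Windows "network share object was accessed"
audit event; the record layout itself is a simplification for this example.
"""
from collections import defaultdict

# Constructed sample records, not real telemetry. Two hosts touch IPC$ as
# ANONYMOUS LOGON (NULL session); ALICE and BOB are authenticated users.
SAMPLE_LOG = """\
5140\t2024-01-01T10:00:01\tANONYMOUS LOGON\t10.0.0.5\t\\\\*\\IPC$
5140\t2024-01-01T10:00:02\tANONYMOUS LOGON\t10.0.0.5\t\\\\*\\IPC$
5140\t2024-01-01T10:00:03\tALICE\t10.0.0.9\t\\\\*\\Finance
5140\t2024-01-01T10:00:04\tANONYMOUS LOGON\t10.0.0.7\t\\\\*\\IPC$
5140\t2024-01-01T10:00:05\tBOB\t10.0.0.9\t\\\\*\\IPC$
"""


def parse_records(text):
    """Split the constructed log into dicts, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) != 5:
            continue  # malformed line: wrong field count
        event_id, timestamp, account, source_ip, share = parts
        records.append({
            "event_id": event_id,
            "timestamp": timestamp,
            "account": account,
            "source_ip": source_ip,
            "share": share,
        })
    return records


def is_anonymous_ipc_access(rec):
    """True when the anonymous (NULL session) identity accessed IPC$.

    IPC$ access by a named, authenticated account is routine and is not
    flagged; the unauthenticated identity is the signal.
    """
    return (rec["event_id"] == "5140"
            and rec["account"].upper() == "ANONYMOUS LOGON"
            and rec["share"].upper().endswith("IPC$"))


def count_anonymous_ipc_by_source(records):
    """Map each source address to its number of anonymous IPC$ accesses."""
    counts = defaultdict(int)
    for rec in records:
        if is_anonymous_ipc_access(rec):
            counts[rec["source_ip"]] += 1
    return dict(counts)


def flag_sources(counts, threshold=1):
    """Return sorted source addresses at or above the threshold."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    counts = count_anonymous_ipc_by_source(parse_records(SAMPLE_LOG))
    for ip in flag_sources(counts):
        print(f"anonymous IPC$ access from {ip}: {counts[ip]} event(s)")
```

The threshold lets a defender separate a single stray anonymous connection from a host that is repeatedly walking IPC$ through RPC; in the sample data, 10.0.0.5 trips a threshold of two while 10.0.0.7 does not.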